In an email to its members today, popular crowdfunding platform Kickstarter announced that it had been hacked, and that thieves had made off with personal information and other user data.
According to a blog post on their website, Kickstarter was informed by law enforcement that hackers had breached security and taken user data - which included usernames, email addresses, phone numbers, mailing addresses and passwords. Kickstarter closed the security breach, but warned that while info such as passwords was encrypted, hackers may be able to crack the encryption with 'enough computing power'. From the blog post:
"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
Kickstarter apologized for the breach, saying that they would take steps to improve their security in the future. They also recommended that Kickstarter users change the password for their account and any other accounts which share the same password.
On the bright side, however, the site informed users that their credit card data had not been stolen - something which many may have been worried about, considering the recent high-profile breaches of Target and other retailers in which 110 million credit cards were compromised.
According to a tweet from Kickstarter, their older passwords are hashed with SHA-1, while newer passwords use bcrypt. While neither method is unbreakable, protecting passwords this way makes them much safer than storing them in the clear - which may allow users to rest more comfortably.
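A site holding a mix of older SHA-1 records and newer slow-hash records can upgrade the old ones as users log in. The sketch below is an added example, not Kickstarter's code: the record formats, function names and iteration count are assumptions, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for the slow hash in this example


def hash_legacy_sha1(password, salt):
    """Old-style record: one fast salted SHA-1 pass (constructed format)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_slow(password, salt=None, iterations=ITERATIONS):
    """New-style record: PBKDF2-HMAC-SHA256, standing in for bcrypt."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${key.hex()}"


def verify(password, record):
    """Check a password against either format, comparing in constant time."""
    try:
        scheme, *fields = record.split("$")
        if scheme == "sha1":
            salt_hex, expected = fields
            actual = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        elif scheme == "pbkdf2":
            rounds, salt_hex, expected = fields
            actual = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)).hex()
        else:
            return False
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
    return hmac.compare_digest(actual, expected)


def needs_upgrade(record):
    """True for SHA-1 records and for PBKDF2 records below the current cost."""
    scheme, _, rest = record.partition("$")
    return scheme != "pbkdf2" or int(rest.split("$")[0]) < ITERATIONS


def login(store, user, password):
    """Verify, then rehash a legacy record while the plaintext is in hand."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        store[user] = hash_slow(password)
    return True
```

Accounts that never log in again keep their SHA-1 record under this scheme.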
Source: CNet via reddit